Ch13 Protecting Networks with Security Devices
description
Transcript of Ch13 Protecting Networks with Security Devices
Hands-On Ethical Hacking Hands-On Ethical Hacking and Network Defenseand Network Defense
Chapter 13Chapter 13Protecting Networks with Security DevicesProtecting Networks with Security Devices
Last modified 6-4-09
ObjectivesObjectives
Describe network security devicesDescribe network security devices
Describe firewall technologyDescribe firewall technology
Describe intrusion detection systemsDescribe intrusion detection systems
Describe honeypotsDescribe honeypots
RoutersRoutersRouters are like intersections; switches are like Routers are like intersections; switches are like streets streets – Image from Wikipedia (link Ch 13a)Image from Wikipedia (link Ch 13a)
Router
Understanding RoutersUnderstanding Routers
Routers are hardware devices used on a Routers are hardware devices used on a network to send packets to different network to send packets to different network segmentsnetwork segments– Operate at the network layer of the OSI modelOperate at the network layer of the OSI model
Routing ProtocolsRouting Protocols
Routers tell one another what paths are Routers tell one another what paths are available with Routing Protocolsavailable with Routing Protocols– Link-state routing protocolLink-state routing protocol
Each router has complete information about every Each router has complete information about every network linknetwork link
Example: Open Shortest Path First (OSPF)Example: Open Shortest Path First (OSPF)
– Distance-vector routing protocolDistance-vector routing protocolRouters only know which direction to send Routers only know which direction to send packets, and how farpackets, and how far
Example: Routing Information Protocol (RIP)Example: Routing Information Protocol (RIP)
Cisco RoutersCisco Routers
Image from cisco.com (link Ch 13b)Image from cisco.com (link Ch 13b)
Understanding Basic Hardware Understanding Basic Hardware RoutersRouters
Cisco routers are widely used in the Cisco routers are widely used in the networking communitynetworking community– More than one million Cisco 2500 series More than one million Cisco 2500 series
routers are currently being used by companies routers are currently being used by companies around the worldaround the world
Vulnerabilities exist in Cisco as they do in Vulnerabilities exist in Cisco as they do in any operating systemany operating system– See link Ch 13cSee link Ch 13c
Cisco Router ComponentsCisco Router Components
Internetwork Operating System (IOS)Internetwork Operating System (IOS)
Random access memory (RAM)Random access memory (RAM)– Holds the router’s running configuration, Holds the router’s running configuration,
routing tables, and buffersrouting tables, and buffers– If you turn off the router, the contents stored in If you turn off the router, the contents stored in
RAM are wiped outRAM are wiped out
Nonvolatile RAM (NVRAM)Nonvolatile RAM (NVRAM)– Holds the router’s configuration file, but the Holds the router’s configuration file, but the
information is not lost if the router is turned offinformation is not lost if the router is turned off
Cisco Router ComponentsCisco Router Components
Flash memoryFlash memory– Holds the IOS the router is usingHolds the IOS the router is using– Is rewritable memory, so you can upgrade the Is rewritable memory, so you can upgrade the
IOSIOS
Read-only memory (ROM)Read-only memory (ROM)– Contains a minimal version of the IOS used to Contains a minimal version of the IOS used to
boot the router if flash memory gets corruptedboot the router if flash memory gets corrupted
Cisco Router ComponentsCisco Router Components
InterfacesInterfaces– Hardware connectivity pointsHardware connectivity points– Example: an Ethernet port is an interface that Example: an Ethernet port is an interface that
connects to a LANconnects to a LAN
Michael LynnMichael Lynn
He presented a major He presented a major Cisco security Cisco security vulnerability at the vulnerability at the Black Hat security Black Hat security conference in 2005conference in 2005He lost his job, was He lost his job, was sued, conference sued, conference materials were materials were confiscated, etc.confiscated, etc.– See links Ch 13 d, e, f, gSee links Ch 13 d, e, f, g
Cisco IOS is Cisco IOS is controlled from the controlled from the command linecommand line
The details are not The details are not included in this included in this classclass
Skip pages 324-Skip pages 324-329329
Understanding FirewallsUnderstanding Firewalls
Firewalls are hardware devices or software Firewalls are hardware devices or software installed on a system and have two installed on a system and have two purposespurposes– Controlling access to all traffic that enters an Controlling access to all traffic that enters an
internal networkinternal network– Controlling all traffic that leaves an internal Controlling all traffic that leaves an internal
networknetwork
Hardware FirewallsHardware Firewalls
Advantage of hardware firewallsAdvantage of hardware firewalls– Faster than software firewalls (more throughput)Faster than software firewalls (more throughput)
Disadvantages of hardware firewallsDisadvantages of hardware firewalls– You are limited by the firewall’s hardwareYou are limited by the firewall’s hardware
Number of interfaces, etc.Number of interfaces, etc.
– Usually filter incoming traffic only (link Ch 13i)Usually filter incoming traffic only (link Ch 13i)
Software FirewallsSoftware Firewalls
Advantages of software Advantages of software firewallsfirewalls– Customizable: can Customizable: can
interact with the user to interact with the user to provide more protectionprovide more protection
– You can easily add NICs You can easily add NICs to the server running the to the server running the firewall softwarefirewall software
Software FirewallsSoftware Firewalls
Disadvantages of software firewallsDisadvantages of software firewalls– You might have to worry about You might have to worry about
configuration problemsconfiguration problems– They rely on the OS on which they are They rely on the OS on which they are
runningrunning
Firewall TechnologiesFirewall Technologies
Network address translation (NAT)Network address translation (NAT)
Access control lists (Packet filtering)Access control lists (Packet filtering)
Stateful packet inspection (SPI)Stateful packet inspection (SPI)
Network Address Translation Network Address Translation (NAT)(NAT)
Internal private IP addresses are mapped Internal private IP addresses are mapped to public external IP addressesto public external IP addresses– Hides the internal infrastructureHides the internal infrastructure
Port Address Translation (PAT)Port Address Translation (PAT)– This allows thousands of internal IP This allows thousands of internal IP
addresses to be mapped to one external IP addresses to be mapped to one external IP addressaddress
– Each connection from the private network is Each connection from the private network is mapped to a different public portmapped to a different public port
192.168.1.101:1100 192.168.1.102:1100
192.168.1.102:1103
147.144.20.1:1201
147.144.20.1:1202
147.144.20.1:1203
Router providing NAT and PAT
Public Addresses
Private Addresses
Access Control ListsAccess Control Lists
A series of rules to A series of rules to control trafficcontrol traffic
CriteriaCriteria– Source IP addressSource IP address– Destination IP addressDestination IP address– Ports or servicesPorts or services– More possibilitiesMore possibilities
Same as “Packet Same as “Packet Filtering” Filtering”
Stateful Packet Inspection (SPI)Stateful Packet Inspection (SPI)
Stateful packet filters examine the current Stateful packet filters examine the current state of the networkstate of the network– If you have sent a request to a server, If you have sent a request to a server,
packets from that server may be allowed inpackets from that server may be allowed in– Packets from the same server might be Packets from the same server might be
blocked if no request was sent firstblocked if no request was sent first
State TableState Table
Stateful firewalls maintain aStateful firewalls maintain a state table state table showing the current connectionsshowing the current connections
ACK Port scanACK Port scan
Used to get information about a firewallUsed to get information about a firewall
Stateful firewalls track connection and Stateful firewalls track connection and block unsolicited ACK packetsblock unsolicited ACK packets
Stateless firewalls only block incoming Stateless firewalls only block incoming SYN packets, so you get a RST responseSYN packets, so you get a RST response
We covered this in chapter 5We covered this in chapter 5
Stateful Packet Inspection (SPI)Stateful Packet Inspection (SPI)
Stateful packet filters recognize types of Stateful packet filters recognize types of anomalies that most routers ignoreanomalies that most routers ignore
Stateless packet filters handle each packet Stateless packet filters handle each packet on an individual basison an individual basis– This makes them less effective against some This makes them less effective against some
attacksattacks
Implementing a FirewallImplementing a Firewall
Using only one firewall between a Using only one firewall between a company’s internal network and the company’s internal network and the Internet is dangerousInternet is dangerous– It leaves the company open to attack if a It leaves the company open to attack if a
hacker compromises the firewallhacker compromises the firewall
Use a demilitarized zone insteadUse a demilitarized zone instead
Demilitarized Zone (DMZ)Demilitarized Zone (DMZ)
DMZ is a small network containing DMZ is a small network containing resources available to Internet usersresources available to Internet users– Helps maintain security on the company’s Helps maintain security on the company’s
internal networkinternal network
Sits between the Internet and the internal Sits between the Internet and the internal networknetwork
It is sometimes referred to as a “perimeter It is sometimes referred to as a “perimeter network”network”
Understanding the Private Understanding the Private Internet Exchange (PIX) FirewallInternet Exchange (PIX) Firewall
Cisco PIX firewallCisco PIX firewall– One of the most popular firewalls on the One of the most popular firewalls on the
marketmarket
Configuration of the PIX FirewallConfiguration of the PIX Firewall
Working with a PIX firewall is similar to Working with a PIX firewall is similar to working with any other Cisco routerworking with any other Cisco router
Login promptLogin promptIf you are not authorized to be in this XYZ If you are not authorized to be in this XYZ Hawaii network device,Hawaii network device,
log out immediately!log out immediately!
User Access VerificationUser Access Verification
Password:Password:
– This banner serves a legal purposeThis banner serves a legal purpose– A banner that says “welcome” may prevent A banner that says “welcome” may prevent
prosecution of hackers who enterprosecution of hackers who enter
PIX Firewall FeaturesPIX Firewall Features
One PIX can be used to create a DMZOne PIX can be used to create a DMZ– See link Ch 13kSee link Ch 13k
PIX Firewall FeaturesPIX Firewall Features
Unicast Reverse Path ForwardingUnicast Reverse Path Forwarding– Also known as "reverse route lookup"Also known as "reverse route lookup"– Checks to see that packets have correct Checks to see that packets have correct
source IP addressessource IP addresses
Flood DefenderFlood Defender– Prevents SYN FloodsPrevents SYN Floods– Only a limited number of "embryonic Only a limited number of "embryonic
connections" are allowedconnections" are allowed
PIX Firewall FeaturesPIX Firewall Features
FragGuard and Virtual Re-AssemblyFragGuard and Virtual Re-Assembly– Re-assembles IP fragments to prevent some Re-assembles IP fragments to prevent some
DoS attacks, like the Ping of Death and DoS attacks, like the Ping of Death and TeardropTeardrop
LimitsLimits– DNS ResponsesDNS Responses– ActiveX controlsActiveX controls– Java appletsJava applets
I skipped pages 333-336I skipped pages 333-336
Microsoft ISAMicrosoft ISAInternet Security and Acceleration (ISA)Internet Security and Acceleration (ISA)
Microsoft’s software approach to firewallsMicrosoft’s software approach to firewalls
Microsoft Internet Security and Microsoft Internet Security and Acceleration (ISA) ServerAcceleration (ISA) Server– Software that runs on a Windows ServerSoftware that runs on a Windows Server– Functions as a software router, firewall, and Functions as a software router, firewall, and
IDS (Intrusion Detection System)IDS (Intrusion Detection System)
Microsoft ISAMicrosoft ISAISA protects your network from Internet ISA protects your network from Internet threatsthreats
Microsoft ISAMicrosoft ISAISA lets remote users connect securely, ISA lets remote users connect securely, handling authentication and encryptionhandling authentication and encryption
Image from microsoft.com, link Ch 13mImage from microsoft.com, link Ch 13m
Microsoft ISAMicrosoft ISA
ISA has the same functionality as any ISA has the same functionality as any hardware routerhardware router– Packet filtering to control incoming trafficPacket filtering to control incoming traffic– Application filtering through the examination Application filtering through the examination
of protocolsof protocols– Intrusion detection filtersIntrusion detection filters– Access policies to control outgoing trafficAccess policies to control outgoing traffic
IP Packet FiltersIP Packet Filters
ISA enables administrators to filter IP ISA enables administrators to filter IP traffic based on the following:traffic based on the following:– Source and destination IP addressSource and destination IP address– Network protocol, such as HTTPNetwork protocol, such as HTTP– Source port or destination portSource port or destination port
ISA provides a GUI for these ISA provides a GUI for these configurationsconfigurations– A network segment can be denied or allowed A network segment can be denied or allowed
HTTP access in the Remote Computer tabHTTP access in the Remote Computer tab
Application FiltersApplication Filters
Can accept or deny data from specific Can accept or deny data from specific applications or data containing specific applications or data containing specific contentcontent
SMTP filter can restrictSMTP filter can restrict– E-mail with specific attachmentsE-mail with specific attachments– E-mail from a specific user or domainE-mail from a specific user or domain– E-mail containing specific keywordsE-mail containing specific keywords– SMTP commandsSMTP commands
Application FiltersApplication Filters
Email can also be filtered based oEmail can also be filtered based o– Sender's nameSender's name– Sender's domainSender's domain– Keywords like VIAGRA or MortgageKeywords like VIAGRA or Mortgage
These techniques are not very effective—These techniques are not very effective—spammers know how to defeat themspammers know how to defeat them
Application FiltersApplication Filters
SMTP Commands SMTP Commands tabtab– Administrator can Administrator can
prevent a user prevent a user from running from running SMTP commandsSMTP commands
Application FiltersApplication Filters
FTP Access filterFTP Access filter
H.323 filterH.323 filter– real-time multimedia conferencesreal-time multimedia conferences
See link Ch 13nSee link Ch 13n
Intrusion Detection FiltersIntrusion Detection Filters
Analyze all traffic for possible known Analyze all traffic for possible known intrusionsintrusions– DNS intrusion detection filterDNS intrusion detection filter– POP filter POP filter – RPC filterRPC filter– SMTP filterSMTP filter– SOCKS filterSOCKS filter– Streaming Media filterStreaming Media filter– Web Proxy filterWeb Proxy filter
Intrusion Detection Systems Intrusion Detection Systems (IDSs)(IDSs)
Monitor network devices so that security Monitor network devices so that security administrators can identify attacks in progress administrators can identify attacks in progress and stop themand stop them
An IDS looks at the traffic and compares it with An IDS looks at the traffic and compares it with known exploitsknown exploits– Similar to virus software using a signature file to Similar to virus software using a signature file to
identify virusesidentify viruses
TypesTypes– Network-based IDSsNetwork-based IDSs
– Host-based IDSsHost-based IDSs
Network-Based and Host-Based Network-Based and Host-Based IDSsIDSs
Network-based IDSsNetwork-based IDSs– Monitor activity on network segmentsMonitor activity on network segments– They sniff traffic and alert a security They sniff traffic and alert a security
administrator when something suspicious administrator when something suspicious occursoccurs
See link Ch 13oSee link Ch 13o
Network-Based and Host-Based Network-Based and Host-Based IDSsIDSs
Host-based IDSsHost-based IDSs– The software is installed on the server you’re The software is installed on the server you’re
attempting to protect, like antivirus softwareattempting to protect, like antivirus software– Used to protect a critical network server or Used to protect a critical network server or
database serverdatabase server
Passive and Active IDSsPassive and Active IDSs
IDSs are categorized by how they react IDSs are categorized by how they react when they detect suspicious behaviorwhen they detect suspicious behavior– Passive systemsPassive systems
Send out an alert and log the activitySend out an alert and log the activity
Don't try to stop itDon't try to stop it
– Active systemsActive systemsLog events and send out alertsLog events and send out alerts
Can also interoperate with routers and firewalls to Can also interoperate with routers and firewalls to block the activity automaticallyblock the activity automatically
Understanding HoneypotsUnderstanding Honeypots
HoneypotHoneypot– Computer placed on the perimeter of a networkComputer placed on the perimeter of a network– Contains information intended to lure and then Contains information intended to lure and then
trap hackerstrap hackers
Computer is configured to have Computer is configured to have vulnerabilitiesvulnerabilities
GoalGoal– Keep hackers connected long enough so they Keep hackers connected long enough so they
can be traced backcan be traced back
How They WorkHow They Work
A honeypot appears to have important data A honeypot appears to have important data or sensitive information stored on itor sensitive information stored on it– Could store fake financial data that tempts Could store fake financial data that tempts
hackers to attempt browsing through the datahackers to attempt browsing through the data
Hackers will spend time attacking the Hackers will spend time attacking the honeypothoneypot– And stop looking for real vulnerabilities in the And stop looking for real vulnerabilities in the
company’s networkcompany’s network
Honeypots also enable security professionals Honeypots also enable security professionals to collect data on attackersto collect data on attackers
Commercial HoneypotsCommercial Honeypots
Open-Source HoneypotsOpen-Source Honeypots
How They Work (continued)How They Work (continued)
Virtual honeypotsVirtual honeypots– Honeypots created using software solutions Honeypots created using software solutions
instead of hardware devicesinstead of hardware devices– Example: HoneydExample: Honeyd
Project Honey PotProject Honey Pot
Web masters install Web masters install software on their software on their websiteswebsitesWhen spammers When spammers harvest email addresses harvest email addresses from sites, HoneyNet's from sites, HoneyNet's servers record the IP of servers record the IP of the harvesterthe harvester– Can help prosecute the Can help prosecute the
spammers and block the spammers and block the spamspam
Link Ch 13pLink Ch 13p
Uses a Capture Server and one or more Uses a Capture Server and one or more Capture ClientsCapture Clients– The clients run in virtual machinesThe clients run in virtual machines– Clients connect to suspect Web serversClients connect to suspect Web servers– If the client detects an infection, it alerts the If the client detects an infection, it alerts the
Capture Server and restores itself to a clean Capture Server and restores itself to a clean statestate
– The server gathers data about malicious The server gathers data about malicious websiteswebsites
See link Ch 13qSee link Ch 13q